Authority Management Systems Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Middleware Architecture Committee for Education, Internet2.

1. Authority Management Systems
Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison
Middleware Architecture Committee for Education, Internet2
Internet2 Fall Member Meeting, Los Angeles, 29-Oct-02

2. Authority Mgmt System Topics
Audience: Authority Management System champions in the making, and their victims
- Glimpses of some real-world Authority Management Systems
- Dimensions of difference & similarity
- Interoperation of Authority Management systems

3. Focus on the first of two fundamental aspects of Authorization
"Build-time": edit, compile, transform and propagate authority information relating to authorization & policy
vs.
"Run-time": access control decisions made by the resource (manager) at the time of the actual request, based on system-specific data/processes

4. MACE vs. The Authority Management Problem

5. Models: MIT Roles DB AuthZ Triples
Authorization [Authority] = Person + Function + Qualifier
(for OKI, a "person" will be generalized to an "agent")
Lets someone do something somewhere:
  Who?   = Person
  What?  = Function
  Where? = Qualifier

6. Models: MIT Roles DB AuthZ
Why Qualifiers? Often a person is authorized to perform a function only within an org. area (school, dept., lab, etc.) or within a financial area.

PERSON   FUNCTION             QUALIFIER
Joe      Review Salaries      Dept. of Biology
Sally    Create Requisitions  Acct. 12345
Fred     Approve Reqs.        Accts. in Biology
Ann      Grade Students       Course 6.001
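The triples above, as an added worked example (not MIT's Roles DB code): a store of (Person, Function, Qualifier) triples where qualifiers are scoped. The qualifier hierarchy (which accounts belong to "Accts. in Biology", and that those sit inside "Dept. of Biology") is an assumption constructed for the example, as is the rule that an authority granted at an enclosing qualifier covers everything inside it.

```python
"""Added example: MIT Roles DB style authorization triples with qualifier scoping.

Assumptions (constructed for illustration, not from the talk):
  - qualifiers form a tree given by QUALIFIER_PARENT; unlisted qualifiers are roots
  - a grant at an enclosing qualifier covers every qualifier inside it
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    person: str      # Who?
    function: str    # What?
    qualifier: str   # Where?


# Constructed qualifier hierarchy: child -> parent.
QUALIFIER_PARENT = {
    "Acct. 12345": "Accts. in Biology",
    "Acct. 67890": "Accts. in Biology",
    "Accts. in Biology": "Dept. of Biology",
    "Acct. 99999": "Accts. in Chemistry",
}


def qualifier_chain(qualifier):
    """Yield the qualifier itself, then each enclosing qualifier up to the root."""
    seen = set()
    while qualifier is not None and qualifier not in seen:
        seen.add(qualifier)
        yield qualifier
        qualifier = QUALIFIER_PARENT.get(qualifier)


class RolesDB:
    def __init__(self):
        self._triples = set()

    def grant(self, person, function, qualifier):
        self._triples.add(Authorization(person, function, qualifier))

    def revoke(self, person, function, qualifier):
        self._triples.discard(Authorization(person, function, qualifier))

    def is_authorized(self, person, function, qualifier):
        """True if a triple matches the qualifier or any qualifier enclosing it."""
        return any(Authorization(person, function, q) in self._triples
                   for q in qualifier_chain(qualifier))

    def qualifiers_for(self, person, function):
        """Where may this person perform this function, as granted (not expanded)."""
        return sorted(t.qualifier for t in self._triples
                      if t.person == person and t.function == function)


def build_slide6_db():
    """The four rows of the slide 6 table, loaded into a RolesDB."""
    db = RolesDB()
    db.grant("Joe", "Review Salaries", "Dept. of Biology")
    db.grant("Sally", "Create Requisitions", "Acct. 12345")
    db.grant("Fred", "Approve Reqs.", "Accts. in Biology")
    db.grant("Ann", "Grade Students", "Course 6.001")
    return db


if __name__ == "__main__":
    db = build_slide6_db()
    # Fred's grant at "Accts. in Biology" covers a specific Biology account
    print(db.is_authorized("Fred", "Approve Reqs.", "Acct. 12345"))
    # ...but not a Chemistry account
    print(db.is_authorized("Fred", "Approve Reqs.", "Acct. 99999"))
    # Sally's grant is account-specific, so a sibling account is not covered
    print(db.is_authorized("Sally", "Create Requisitions", "Acct. 67890"))
```

The check walks outward from the requested qualifier rather than expanding every grant downward, so adding a new account under "Accts. in Biology" needs only a new row in QUALIFIER_PARENT, not a change to any existing triple.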

7. Stanford Authority Registry
An Authority Registry is a managed repository of authority assignments, not a run-time Access Control System.
Authority is defined first in business terms, without reference to any specific system or application.
The Authority Registry separates the user-visible portions of authority management, expressed in business terms, from internal system components expressed in technical terms.
Applications must read and translate authority information into local terms.

8. Stanford Authority Registry

9. Stanford Authority Registry
Functions
- The basic unit of business work. A person's job will consist of one or more Functions.
- Authority assignments are at the Function level.
- Functions consist of one or more Tasks.
Tasks
- A discrete unit of work, typically a piece of what is needed to accomplish a Function.
- Represents a set of privileges that must be set together.
- Are reusable.

10. Stanford Authority Registry
Entitlements
- Atomic unit of authority control.
- An abstraction of system-specific privileges, but not in any system's specific language.
- What applications read to set their internal security.
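The Function / Task / Entitlement layering of slides 9 and 10, as an added example that is not Stanford's code: people are assigned Functions, Functions are built from reusable Tasks, Tasks bundle Entitlements, and an application reads only the Entitlements and translates the ones it understands into its own local privilege names. The function, task and entitlement names, and the purchasing application's translation table, are constructed for the example.

```python
"""Added example: a registry shaped like the Stanford Authority Registry description.

Constructed for illustration; none of the names below come from Stanford.
"""


class AuthorityRegistry:
    def __init__(self):
        self.tasks = {}        # task name -> frozenset of entitlement names
        self.functions = {}    # function name -> frozenset of task names
        self.assignments = {}  # person -> set of function names

    def define_task(self, name, entitlements):
        # A Task is a set of privileges that must be set together, so it cannot be empty.
        if not entitlements:
            raise ValueError(f"task {name!r} must bundle at least one entitlement")
        self.tasks[name] = frozenset(entitlements)

    def define_function(self, name, task_names):
        missing = [t for t in task_names if t not in self.tasks]
        if missing:
            raise KeyError(f"function {name!r} references undefined tasks: {missing}")
        self.functions[name] = frozenset(task_names)

    def assign(self, person, function_name):
        # Authority assignments happen at the Function level only.
        if function_name not in self.functions:
            raise KeyError(f"unknown function {function_name!r}")
        self.assignments.setdefault(person, set()).add(function_name)

    def revoke(self, person, function_name):
        self.assignments.get(person, set()).discard(function_name)

    def entitlements_for(self, person):
        """Flatten Functions -> Tasks -> Entitlements for one person."""
        ents = set()
        for fn in self.assignments.get(person, ()):
            for task in self.functions[fn]:
                ents |= self.tasks[task]
        return frozenset(ents)

    def functions_using_task(self, task_name):
        """Tasks are reusable: which Functions share this one?"""
        return sorted(fn for fn, tasks in self.functions.items() if task_name in tasks)


def local_privileges(registry, person, translation):
    """The application side: read entitlements, keep those this application
    understands, and translate them into its own privilege vocabulary."""
    return sorted(translation[e] for e in registry.entitlements_for(person) if e in translation)


# Constructed translation table for a hypothetical purchasing application.
PURCHASING_APP_TERMS = {
    "req.create": "REQ_WRITER",
    "req.view": "REQ_READER",
    "req.approve": "REQ_APPROVER",
}


def build_example_registry():
    reg = AuthorityRegistry()
    reg.define_task("View Budget", {"budget.view"})
    reg.define_task("Manage Requisitions", {"req.create", "req.view"})
    reg.define_task("Approve Requisitions", {"req.view", "req.approve"})
    reg.define_function("Office Admin", ["Manage Requisitions", "View Budget"])
    reg.define_function("Budget Officer", ["View Budget", "Approve Requisitions"])
    reg.assign("Sally", "Office Admin")
    reg.assign("Fred", "Budget Officer")
    return reg


if __name__ == "__main__":
    reg = build_example_registry()
    print(sorted(reg.entitlements_for("Sally")))
    print(local_privileges(reg, "Sally", PURCHASING_APP_TERMS))
```

Note that "budget.view" never reaches the purchasing application: it is not in that application's translation table, so the application ignores it, which is exactly the "read and translate into local terms" step from slide 7.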

11. Ponder from Imperial College, London: Entering the Space Age
Example domain expression: /A/B/D

12. Ponder

13. Ponder

14. Ponder

15. Ponder download and further information
The Ponder toolkit can be downloaded under the GNU Lesser GPL from Imperial College in London: http://www-dse.doc.ic.ac.uk/Research/policies/index.shtml
Documentation plus several technical papers on Ponder are available at that site as well.

16. National Institute of Standards & Technology RBAC Model
Role-based Access Control (RBAC): a formal model with provable properties
http://csrc.nist.gov/rbac/

17. Example: Bank Role/Role Associations in the NIST RBAC Model

18. NIST RBAC Model
Reference implementation, including management tools for role engineering.
NIST is seeking to promote this as a standard:
"A Proposed Standard for Role-Based Access Control", David F. Ferraiolo (National Institute of Standards and Technology), Ravi Sandhu (George Mason University), Serban Gavrila (VDG Incorporated), D. Richard Kuhn and Ramaswamy Chandramouli (National Institute of Standards and Technology), December 18, 2000.
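An added example of the NIST model's core ideas (not NIST's reference implementation): users are assigned roles, permissions are assigned to roles, a role hierarchy lets a senior role inherit every permission of its juniors (the Surgeon / Doctor pairing from slide 21), and a static separation-of-duty constraint is enforced when a role is assigned. The hospital roles, permissions and the Billing Clerk / Auditor constraint are constructed for the example.

```python
"""Added example: core + hierarchical + constrained RBAC in the NIST style.

All roles, permissions and constraints are constructed for illustration.
"""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> directly assigned roles
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.juniors = defaultdict(set)      # senior role -> directly inherited junior roles
        self.ssd = []                        # (frozenset of roles, n): no user may hold n or more

    def add_inheritance(self, senior, junior):
        """senior inherits everything junior has; reject cycles."""
        if senior in self.all_juniors(junior):
            raise ValueError(f"{senior} -> {junior} would make the hierarchy cyclic")
        self.juniors[senior].add(junior)

    def all_juniors(self, role):
        """Transitive closure of inheritance, including the role itself."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def grant_permission(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def add_ssd(self, roles, n=2):
        """Static separation of duty: a user may hold fewer than n of these roles."""
        self.ssd.append((frozenset(roles), n))

    def assign_user(self, user, role):
        proposed = self.user_roles[user] | {role}
        # Inherited roles count too: holding Surgeon means holding Doctor.
        authorised = set().union(*(self.all_juniors(r) for r in proposed))
        for role_set, n in self.ssd:
            if len(authorised & role_set) >= n:
                raise ValueError(
                    f"assigning {role} to {user} violates separation of duty on {sorted(role_set)}")
        self.user_roles[user].add(role)

    def permissions_of(self, user):
        perms = set()
        for r in self.user_roles[user]:
            for jr in self.all_juniors(r):
                perms |= self.role_perms[jr]
        return perms

    def check_access(self, user, operation, obj):
        """The run-time question: may this user perform operation on obj?"""
        return (operation, obj) in self.permissions_of(user)


def build_hospital():
    rbac = RBAC()
    rbac.add_inheritance("Doctor", "Healthcare Provider")
    rbac.add_inheritance("Surgeon", "Doctor")
    rbac.grant_permission("Healthcare Provider", "read", "patient record")
    rbac.grant_permission("Doctor", "prescribe", "medication")
    rbac.grant_permission("Surgeon", "schedule", "operating room")
    rbac.grant_permission("Billing Clerk", "issue", "invoice")
    rbac.grant_permission("Auditor", "review", "invoice")
    rbac.add_ssd({"Billing Clerk", "Auditor"})
    rbac.assign_user("alice", "Surgeon")
    rbac.assign_user("bob", "Doctor")
    rbac.assign_user("carol", "Billing Clerk")
    return rbac


if __name__ == "__main__":
    h = build_hospital()
    print(h.check_access("alice", "read", "patient record"))   # inherited through Doctor
    print(h.check_access("bob", "schedule", "operating room"))  # Doctor is junior to Surgeon, not the reverse
```

The separation-of-duty check is evaluated over the inherited closure, not just directly assigned roles; otherwise a constraint on two junior roles could be bypassed by assigning a senior role that inherits one of them.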

19. UWisc Project Planning: Cascading phrases re controlled access to resources
Systems of record
  identify Persons
    who have Affiliations / Attributes
      that are mapped to Entitlements
        that determine eligibility for Services
          that are offered by Service Providers

20. UWisc: Separates policy from technical architecture and implementation
Ask the technologists to build a system that can easily accommodate new sources, people, services & mappings.
Ask the stakeholders (sponsors, service providers, ...) to agree on policies & procedures in terms of this cascading diagram.
Yields a cleaner separation of the two activities: user-visible vis-a-vis system-internal, a la Stanford.
Gives the two groups a shared language.
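The slide 19 cascade, as an added example that is not UW-Madison's system: systems of record are merged into persons, persons carry affiliations and attributes, a mapping table (the policy the stakeholders agree on) turns those into entitlements, services declare the entitlement they require, and providers offer services. The point of slide 20 shows up in the shape of the code: sources, mappings, services and providers are all data, so adding one is a new row rather than a code change. Every record, affiliation, entitlement URN and service name below is constructed.

```python
"""Added example: the UWisc cascade (systems of record -> persons -> affiliations/
attributes -> entitlements -> services -> providers) driven entirely by data tables.

All records, mappings, services and providers are constructed for illustration.
"""

# Constructed systems of record. The same person may appear in more than one.
SYSTEMS_OF_RECORD = {
    "hr": [
        {"id": "u100", "affiliations": {"staff", "faculty"}, "attrs": {"dept": "physics"}},
        {"id": "u200", "affiliations": {"staff"}, "attrs": {"dept": "library"}},
    ],
    "registrar": [
        {"id": "u300", "affiliations": {"student"}, "attrs": {"dept": "physics"}},
        {"id": "u100", "affiliations": {"student"}, "attrs": {}},
    ],
}


def _any(_attrs):
    return True


# Policy agreed by stakeholders: (affiliation, attribute predicate) -> entitlement.
MAPPINGS = [
    ("staff", _any, "urn:campus:email"),
    ("student", _any, "urn:campus:email"),
    ("faculty", _any, "urn:campus:grading"),
    ("student", lambda a: a.get("dept") == "physics", "urn:campus:physics-lab"),
    ("faculty", lambda a: a.get("dept") == "physics", "urn:campus:physics-lab"),
]

# Each service names the single entitlement that makes a person eligible for it.
SERVICES = {
    "Email": "urn:campus:email",
    "Gradebook": "urn:campus:grading",
    "Physics Lab Door": "urn:campus:physics-lab",
}
PROVIDERS = {"Email": "Central IT", "Gradebook": "Central IT", "Physics Lab Door": "Physics Dept."}


def identify_persons(sources):
    """Merge every system of record into one person per id.
    Assumption: affiliations are unioned and attributes from later sources win."""
    persons = {}
    for records in sources.values():
        for rec in records:
            p = persons.setdefault(rec["id"], {"affiliations": set(), "attrs": {}})
            p["affiliations"] |= rec["affiliations"]
            p["attrs"].update(rec["attrs"])
    return persons


def entitlements_for(person, mappings=MAPPINGS):
    """Apply the policy table: an entitlement is earned when the person holds the
    affiliation and the attribute predicate accepts the person's attributes."""
    return {ent for aff, pred, ent in mappings
            if aff in person["affiliations"] and pred(person["attrs"])}


def eligible_services(entitlements, services=SERVICES, providers=PROVIDERS):
    """Services whose required entitlement the person holds, with their provider."""
    return sorted((svc, providers[svc]) for svc, needed in services.items()
                  if needed in entitlements)


def cascade(sources=SYSTEMS_OF_RECORD):
    """Run the whole cascade: person id -> [(service, provider), ...]."""
    return {pid: eligible_services(entitlements_for(p))
            for pid, p in identify_persons(sources).items()}


if __name__ == "__main__":
    for pid, services in sorted(cascade().items()):
        print(pid, services)
```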

21. A key point of difference between these systems
They all group objects to create scalable, manageable systems, but each model aggregates at different points:

MODEL               POINT(S) OF AGGREGATION      EXAMPLE
MIT Roles DB        Qualifier                    Dept. of Biology
Stanford Authority  Task, Function {, Role}      Office Admin
Ponder              Subject & Target "Domains"   /faculty/physics
NIST                Role Hierarchies             Surgeon, Doctor

22. Interop challenge: Gateway(?) for mobile authority information / assertions / policy
- SAML, XACML (Security Assertions Markup Language, eXtensible Access Control Markup Language; OASIS standards body)
- Permis Attribute Certificates
- Grid Proxy Certificates
- SPKI, SDSI Certificates
- MS Kerberos PAC (Authorization data) in Session ticket (see next slide)
- AGE

23. Building An Access Token From A Kerberos Ticket (diagram)
Auth data carried in the Kerberos session ticket: User SID, Group SIDs, Privileges
- Kerberos package gets the auth data from the session ticket
- Local Security Authority (LSA) builds an access token for the security context
- Server thread impersonates the client context (impersonation token) on behalf of the server application, against the target

24. Do AuthInfo systems themselves ever need to interoperate?
Well, we do want low-impedance resource access across administrative boundaries.
But do we need to manage Authority Information across those boundaries?
REALLY hard, especially if the underlying models aren't commensurable.
Minimalist approach: net out AuthorityInfo to entitlements and move entitlements between domains.

25. Conclusion; "Back to you, RL."
We're still throwing a little salt, circling in the arena...
But the payoff for middleware services investment really seems to lie in the authorization (authority management + access control management) space.
